Cybersecurity has an asymmetry problem, and phishing is its sharpest example. The defender has to be right every time, across thousands of employees. The attacker has to get lucky once. But the asymmetry isn’t just about odds — it’s about money. What it costs to launch a phishing campaign and what it costs to survive one are separated by four or five orders of magnitude.
What it costs to run a campaign
Thanks to the phishing-as-a-service market, the price of entry has collapsed. Tycoon 2FA, the dominant platform of 2025, rented from $120 for ten days or about $350 a month. [1] EvilProxy ran roughly $150–$600/month; W3LL Panel $500 up front plus $150/month. [2] Simpler kits change hands for under $25. [3] That $120 doesn’t buy a static page — it buys MFA-bypass capability, evasion, hosting, templates and victim tracking. [4] A complete, modern campaign can be stood up for a few hundred dollars, and the kit scales to millions of emails for free.
What it costs to be the victim
Now the other side of the ledger. The average breach cost $4.44 million globally and $10.22 million in the US; breaches that start with phishing — the most common initial vector — averaged around $4.8 million. [5] If it becomes ransomware, the average extortion incident cost $5.08 million. [6] Business email compromise drained $2.77 billion across 21,442 reported incidents in 2024 — roughly $129,000 each. [7] In healthcare, the average breach hit $7.42 million. [8] And a single social-engineering-led intrusion cost Marks & Spencer an estimated £300 million in lost profit. [9]
The asymmetry, in one line
| | Attacker | Victim |
|---|---|---|
| Typical phishing campaign | ~$120–$350 | — |
| Average phishing-led breach | — | ~$4.8M |
| If it escalates to ransomware | — | ~$5.08M |
| A bad day at a large enterprise | — | ~£300M (M&S) |
This is why phishing dominates: not because criminals are uniquely sophisticated, but because the spreadsheet is irresistible. Failure is nearly free — rotate a domain and try again. One success funds years of attempts. And the tooling does the hard part.
Flip the economics
You can’t raise the attacker’s costs — but you can collapse their success rate, the one number their model can’t survive without.
Changing the math
Awareness training nudges the success rate down a little, and the effect fades. Blocklists catch yesterday's campaigns but miss the freshly rotated domain. Detection that analyses the page and the email in real time, as they load, attacks the one number the attacker's business plan depends on: the hit rate. Drive enough campaigns to zero return, and the $120 that looked like free money starts looking like a bad bet.